REPORT OF WORKING GROUP 2 TO DSTAC
April 21, 2015
SUMMARY
There is variation in current video providers’ distribution technologies and platforms, as the Multichannel Video Programming Distributor (MVPD) distribution networks were not built to a common set of nationwide standards. At a high level, the larger US cable operators and Verizon mostly use one or both of the two primary CAS (Conditional Access System) vendors, and all support CableCARD for limited services. Both US cable and Verizon use Quadrature Amplitude Modulation (QAM) for broadcast signals over Hybrid Fiber Coax (HFC) or B/GPON (Broadband-/Gigabit-capable Passive Optical Network) fiber networks. Verizon adds hybrid QAM/IP for on-demand content and two-way services. Direct Broadcast Satellite (DBS) also has two major variants for transport and CAS. AT&T uses IP unicast and multicast over DSL or B/GPON fiber, with a Digital Rights Management (DRM) approach instead of CAS.
MPEG-2 is still the most common transport mechanism used for broadcast content; however, there are variations in transport structure for linear and for Video On Demand (VOD) content, and newer IP transports are starting to be used for broadcast over IP. In video encoding technology, while many older devices tied to MPEG-2 Transport in hardware are also tied to MPEG-2 video format, different variants of MPEG-2, MPEG-4 AVC and MPEG HEVC are used for video compression across MVPDs. For IP delivered content to consumer-owned devices, a range of software DRM solutions are used, across two dominant transport models, Apple HTTP Live Streaming (HLS) and Microsoft Smooth Streaming. There is a cross industry effort to standardize streaming formats using MPEG-DASH and DRM access using W3C HTML5 Encrypted Media Extensions (EME) standards.
Content protection systems, such as CAS and DRM systems, are one part of the secure delivery of all providers’ commercial content and multichannel service. CAS and DRM control the authorizations that turn video on and off, but there are many threats to security and to other parts of their systems that MVPDs must address.
All content protection systems, including CAS and DRM solutions, use a combination of hardware and/or software to secure delivery of video services. And most solutions have software downloadable components. Security can be improved by judicious use of hardware. For example, parts of the software solution can execute in a secure portion of the hardware (Trusted Execution Environment (TEE)) instead of on the less-secure general purpose Central Processing Unit (CPU).
Across all service providers, a widespread and fast growing approach that has developed for delivering video service to customer owned devices is through “apps.” The consumer electronics world broadly uses this app model as the means for bridging the differences between varied and rapidly changing services and varied and rapidly changing consumer electronics platforms. The app model uses IP-distributed and enabled applications with either software-downloadable DRMs or platform supported DRMs. “Over the top” video distributors, like Netflix and Amazon, have to custom build and support different versions of their client software for every different platform they support, and some device manufacturers accommodate and test against some of these applications. Multichannel providers follow the same model. Each distributor and provider delivers their video services through apps to millions of customer-owned IP-enabled devices, including iOS, Android, Mac/OS X, PC/Windows, Xbox, Roku, Kindle, and a variety of Smart TVs.
There are early deployments of VidiPath and broad deployment of RVU technology, developed in multi-industry bodies, for delivering multichannel service via apps to client devices on home networks. VidiPath supports IP video delivery through an in-home device and/or “cloud-to-ground” delivery directly from a network to the client. These application approaches abstract the diversity and complexity of service providers’ access network technologies and customer-owned IP devices, accommodate rapid change and innovation by both service providers and consumer electronics manufacturers, and may make use of a combination of software-downloadable security with hardware roots of trust. VidiPath leverages browser technology to present the MVPD’s user interface as part of the consumer device navigation framework, but does not directly provide for access to MVPD content via third-party UI today.
OVERVIEW: SOFTWARE, HARDWARE AND DOWNLOADABLE SECURITY
All content protection systems, including CAS and DRM solutions, use hardware and/or software to secure delivery of video services. Although CableCARD has downloadable elements, it is not considered a downloadable CAS solution. There are different capabilities and therefore robustness of solutions in what features the hardware provides to assist the software in securing the solution. Most solutions have a way to download the software component. A downloadable CAS solution can include combinations of software component, hardware component, Trusted Execution Environment provided by the hardware, secure download model for the software component, and secure root of trust that can authenticate the hardware so the software can trust it.
Content protection systems vary in how and when the content protection system is installed:
- Built-in: Some content-protection systems are installed at time of device manufacture. While they may include some software-updatable components, they cannot be changed.
- Hardware installable: Some content-protection systems consist of hardware that can be installed into a device by the operator or by the consumer into an external hardware connector. For example, a smart card content-protection system is installed into a smart card reader external hardware connector, while a CableCARD (and DVB-CI) are installed into a PCMCIA external hardware connector. While they may include some software updatable components, they require installation of hardware to an external connector.
- Software downloadable: Some content-protection systems consist of a software-only module that is installed onto a device through downloading. For example, content-protection in PC Web browsers uses software downloadable DRMs. Software downloadable DRMs run on the general-purpose CPU of the device and may also use TEEs, if present, but don’t require any hardware to be installed via an external hardware connector.
There is a range of security depending on the type and use of hardware elements. For example, the security of the solution can be improved by judicious use of hardware. Hardware elements can be used to keep some elements more secure, for example by having parts of the software execute in a secure portion of the hardware (Trusted Execution Environment) instead of on the general purpose CPU, so that secrets are not exposed in general purpose RAM or on accessible buses within the device. For many solutions on consumer devices, such as software-only DRM used on tablets and PCs, the general purpose CPU is not used as a hardware element of security, and the software component may try to obfuscate critical elements (object code, variable names, cryptographic elements, etc.) because of the lack of secure hardware components.
There are standardization efforts underway for these trusted execution environments, secure download models, and common ciphers/scramblers. There is work underway in W3C to develop a standard for an application interface to a DRM. There is no W3C effort to standardize the DRM model.
CURRENT VIDEO PROVIDERS’ DISTRIBUTION TECHNOLOGIES
This section discusses the current distribution technologies in use today by MVPDs. Table 1 summarizes the various CAS, core ciphers, transports, control channels, and video codecs in use.
Cable
Cable system architectures reflect fundamental differences dating from different design goals, different vendors, and different owners. The General Instruments (now ARRIS) design was tailored primarily for the more rural and less clustered systems owned by Tele-Communications, Inc., with a focus on increased channel capacity, minimized head-end cost, and centralized set-top control and authorization. The Scientific-Atlanta (now Cisco) design was tailored primarily for the more urban and clustered systems primarily owned by Time Warner Cable, with a focus on two-way interactive services such as VoD, the ability to add applications and services to set-top boxes over time, and local control and authorization. Thus, even though there are some shared elements, such as MPEG-2 video compression, there are fundamental differences in technologies for CAS, controllers, the out-of-band (OOB) communications channels used for command and control of the set-top box, network transports, QAM modulation, video codecs, core ciphers, advanced system information such as network configuration, session management, operating system, processor instruction set, interactive services, billing systems, applications necessary for presentation of services and in the set-top boxes. [3] Unlike the telephone network that was originally built to a common nationwide standard, the cable industry is a roll up of these many technologies. [4] A single company can be operating both Cisco and ARRIS systems in different parts of their network.
CableCARD technology works across all US cable systems and FiOS. There is a competitive multi-vendor set-top box market for MVPD-purchased devices in the US, including TiVo as a supplier of set-top boxes to cable operators that depends on CableCARD.
Satellite
The Direct Broadcast Satellite (DBS) architectures of DIRECTV and DISH Network contrast through fundamental differences. Although they both transmit signals one-way from satellite to ground, there are differences in orbital slots that customer outdoor units (ODUs) must face, the satellite frequencies used, antenna components such as the low-noise block downconverters (LNBs), the multiswitches used to “tune” a channel to the right input frequency and/or right satellite, the CAS systems, the RF encoding of the signals, the transport stream structures, and the set-top boxes (also known as IRDs). While both systems base multiswitch control on the DiSEqC standard, each uses proprietary extensions. The systems also support different home installation architectures. [5][8].
AT&T U-verse
AT&T delivers its U-Verse service over both copper (VDSL) and Fiber (FTTP) networks using Internet Protocol (IP) (although not using the Internet). Service is delivered from one Super Hub Office (SHO) to multiple Video Hub Offices (VHOs). Linear content is multicast to the end user, when requested. AT&T’s proprietary Instant Channel Change (ICC) unicasts to the subscriber until a multicast stream is joined. U-verse delivers a combination of Unicast and Multicast streams even for live linear channels. VOD is unicast to the subscriber on request. [2]
FiOS
Verizon’s FiOS service is a hybrid QAM and IP service. Verizon designed its downstream linear service to leverage prior work by the cable industry and emulates cable for downstream linear using an overlay wavelength on its fiber, but there is no cable RF return path, so interactivity is handled using IP. FiOS VOD is delivered using Internet Protocol (IP). Each set-top box includes two interfaces: an interface to the overlay wavelength for linear services and certain control signaling; and an IP interface for IP VOD, widgets, guide data, gaming, and certain control plane signaling. All feeds are integrated into a single service within the set-top box. [9]
Conditional Access
There is variation in conditional access deployment and use among all providers.
Diversity of conditional access can be a source of strength in security by reducing the target size (and raising the proportional costs to an attacker) and by reducing the consequences of a breach. For example, both satellite companies have designed their conditional access to accommodate ongoing and continual evolution in the CAS used with their customer base. [6] Cable operators use a variety of CAS systems. [3] MVPDs refresh their entitlement messaging in order to limit the amount of service that may be illegally consumed before a new entitlement message is required. [3] Table 1 summarizes variation in known, deployed CAS systems, each of which has its own unique licensing and trust infrastructure, along with the associated core ciphers, transports, control channels, and video codecs in use.
Table 1 – Currently Deployed CAS Systems [3][24]
Terrestrial methods are included because some DBS implementations still use local off-air broadcast pickup at the set-top box. “Universal DTA” CAS is designed to work with both Cisco and ARRIS conditional access.
Verizon operates cable systems which support both MediaCipher and PowerKey at the same time on the same distribution plant using key sharing technology similar to Simulcrypt, where MediaCipher is the key master, i.e. it creates the content scrambling key that PowerKey also uses. These systems operate using only the Common Scrambling Algorithm (CSA) scrambling mode. Some Time Warner Cable systems use the Cisco Overlay feature which supports both DigiCipher and PowerKey use at the same time. The Cisco Overlay feature uses selective multiple encryption to independently encrypt content: critical packets are duplicated and each copy is separately encrypted with DigiCipher and PowerKey, while non-critical packets are sent in-the-clear. Cisco Overlay is very similar to Sony Passage. With Cisco Overlay, neither CAS is the “key master” and specific use of CSA is not required.
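The two dual-CAS arrangements described above, as an added toy model that is not part of the report and not the vendors’ code: Simulcrypt-style key sharing, where one key master creates the control word and each CAS wraps it in its own ECM, and Overlay-style selective multiple encryption, where only critical packets are duplicated and each copy is scrambled under a different CAS. The scrambler, packet layout, key names and sample packets are all constructed stand-ins (an HMAC-SHA256 keystream in place of CSA/DES).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in scrambler: XOR data with an HMAC-SHA256 counter keystream (symmetric).
    Real plants use CSA or DES; only the structure of the exchange matters here."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def scramble(key: bytes, position: int, data: bytes) -> bytes:
    # Per-packet label so the keystream is never reused across packets.
    return keystream_xor(key, b"ts" + position.to_bytes(4, "big"), data)


@dataclass
class Packet:
    pid: int
    critical: bool                       # e.g. picture start the decoder cannot skip
    payload: bytes
    scrambled_by: Optional[str] = None   # "A", "B", "shared", or None when in the clear


# Constructed sample: three packets of one elementary stream, one of them critical.
SAMPLE = [
    Packet(0x100, True, b"picture header + first slice"),
    Packet(0x100, False, b"remaining slices of the picture"),
    Packet(0x100, False, b"audio frame"),
]
# Hypothetical per-CAS keys standing in for the MediaCipher and PowerKey key ladders.
CAS_KEYS = {"A": b"cas-A-constructed-key", "B": b"cas-B-constructed-key"}


def simulcrypt_encode(packets: List[Packet], control_word: bytes, cas_keys: Dict[str, bytes]):
    """Key-sharing model: the key master's control word scrambles every packet once;
    each CAS wraps the same word in its own ECM. Both CASs must therefore share one
    scrambler, which is why such plants run a single scrambling mode (CSA)."""
    ecms = {name: keystream_xor(k, b"ecm", control_word) for name, k in cas_keys.items()}
    out = [Packet(p.pid, p.critical, scramble(control_word, i, p.payload), "shared")
           for i, p in enumerate(packets)]
    return out, ecms


def simulcrypt_decode(stream: List[Packet], ecms: Dict[str, bytes], cas: str, cas_key: bytes):
    cw = keystream_xor(cas_key, b"ecm", ecms[cas])      # unwrap this CAS's own ECM
    return [scramble(cw, i, p.payload) for i, p in enumerate(stream)]


def overlay_encode(packets: List[Packet], cas_keys: Dict[str, bytes]) -> List[Packet]:
    """Selective multiple encryption: each critical packet is duplicated, one copy per
    CAS under that CAS's own key; non-critical packets go out in the clear. No key
    master, and each CAS could use a different cipher for its copies."""
    out: List[Packet] = []
    for p in packets:
        if p.critical:
            for name, k in cas_keys.items():
                out.append(Packet(p.pid, True, scramble(k, len(out), p.payload), name))
        else:
            out.append(Packet(p.pid, False, p.payload, None))
    return out


def overlay_decode(stream: List[Packet], cas: str, cas_key: bytes) -> List[bytes]:
    out = []
    for i, p in enumerate(stream):
        if p.scrambled_by is None:
            out.append(p.payload)                         # clear packet, pass through
        elif p.scrambled_by == cas:
            out.append(scramble(cas_key, i, p.payload))   # this receiver's copy
        # copies addressed to the other CAS are dropped by this receiver
    return out


def clear_fraction(stream: List[Packet]) -> float:
    """Share of transmitted packets readable without any key: the cost of Overlay."""
    return sum(p.scrambled_by is None for p in stream) / len(stream)
```

The `clear_fraction` check makes the trade-off visible: key sharing scrambles the whole stream at the price of a common scrambler, while Overlay trades bandwidth (duplicated critical packets) and leaves the non-critical packets exposed.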
CAS vendor Verimatrix’s presentation showed how an operator CPE device can terminate the network CAS and apply multiple third-party DRMs and content protection to reach various kinds of devices. Watermarking can extend forensic tools beyond the operator CAS to permit after-the-fact detection of the source of security breaches. [21]
PROTECTION AGAINST SECURITY THREATS AND RISKS
CAS and DRM are a small but necessary part of the secure delivery of commercial content and multichannel service. Service providers use other techniques to protect against security threats and risks. CAS turns video on and off, but there are many other threats that MVPDs must address:
- threats that arise through circumvention of content license restrictions;
- threats to the chain of trust model that assures secure flow of content from content supplier to the distributor to the consumer;
- threats to privacy protections; and
- threats to the service itself, such as failure to render service, failure to support billing, or interference with advertising.
MVPDs address these threats through a variety of technological measures.
Content license restrictions on geographic or device segmentation
All video distributors assemble a collection of licensed commercial content through individually-negotiated copyright licenses with content owners and licensors (for example, for the right to carry ESPN) and retransmission consent agreements for terrestrial broadcasts (for example, for the right to carry FOX broadcasting affiliates in particular local markets). All are bound separately by the varying terms of these bilateral agreements.
Content providers segment the market through licenses. For example, they impose geographic and mobility restrictions on distribution, such as distinguishing the right to distribute content in-home versus out-of-home, or licensing on some devices or DRM systems but not others. Not all content is licensed for reception on all devices. Licensors typically value their content higher when distribution is closer to its original release than at later dates, and content at a higher resolution is generally valued higher than at lower resolution. [3] Thus, certain platforms or devices that have a higher level of security may enjoy higher resolution content or earlier release window content than devices with a lower level of security. [6] “Over the top” providers are also part of this licensing system. As the Wall Street Journal recently explained, “Virtually every major online video player is in the market for the kind of ‘premium’ programming that traditional entertainment firms create.” [11]
When licensing to multichannel platforms, agreements between service providers and content providers enforce availability windows, define channel placement and the neighborhood in which the channel is located, subscription tier placement, acceptable advertising, scope of distribution permitted, and security requirements. Content providers may negotiate terms to assure a uniform nationwide presentation and provide consumers with a consistent experience with their branded content. Content may be licensed to a distributor for in home distribution, but only a subset is licensed for out of home use. [6] One provider noted how its Mosaic service included licensed thumbnails, but use of the thumbnails came with license restrictions and application requirements. [18] Some satellite licenses require geolocation of the subscriber account, or remote, IP-connected consumer device. Other satellite licenses forbid outputs to televisions that lack the HDCP protection required to enforce license restrictions on copy control and redistribution. [6] Licenses for VOD may require a network branded point of entry for the VOD library, rather than simply commingling that network’s licensed content with other VOD. For “over the top” distribution, HBO has announced that it will initially exclusively launch on iOS (exclusivity is only for 90 days) and Cablevision; SlingTV includes ESPN; but ESPN has not yet licensed its content for Sony’s new Internet television service, Vue. [15] Copyright and contract requirements all inform these different business models.
Programs are licensed to distributors (MVPDs and “over the top” video distributors). The distributors select and negotiate license rights from content providers and other rights holders (for example, licensors of program guide data), combine them with a variety of features (guides, on-demand, Start Over, look back, etc.), search tools, specialized applications, and cross-platform features like on-screen caller ID, and compile these into distinctive, branded offerings. [3][14][12][2] Some WG members would prefer to separate programming from MVPD application features and create their own distinctive, branded offering on a competitive navigation device.
Over the top video distributors continue to emerge rapidly. Just since the commencement of DSTAC, Sony launched its PlayStation Vue Internet TV service and its licensed channel lineup; Apple is in negotiations with television networks to provide a TV-streaming service similar to DISH Network’s Sling TV; and HBO announced the price for its new over-the-top service, to be launched exclusively on Apple devices.
Video providers use software and the delivery of an integrated service to protect against breaches of these licensing requirements. For example, the DISH guide is involved in the enforcement of varying entitlements to receive local channels, which vary depending on the location of the subscriber. DISH also uses its guide data to distinguish among program recordings that a subscriber may move to USB drive, and programming for which DISH does not have that license right. Charter’s downloadable security system uses a network adapter similar to a Conditional Access Network Handler (CANH) Adaptor, HTML extensions, and its guide to enforce restrictions in carriage and retransmission consent agreements. AT&T uses a U-Verse application to manage which outputs are permitted from a set-top box depending on the rights licensed by content providers. [1] [2] [3] [6]
The FCC’s former Encoding Rules put limits on how programming could be encoded for copy and output control in an effort to set consumer expectations with respect to various programming categories. The rules did not apply to distribution of any content over the Internet, via cable modem or DSL [28].
Chain of trust model that assures flow of content from content supplier to the distributor to the consumer
All video distributors operate within a complex system that creates a “chain of trust” from the content supplier to the distributor to the consumer with protections in place to respect the license restrictions on the content. For example, if content is licensed solely for display as an early release VOD title, there must be some protections in place so that the VOD title does not flow out from an insecure platform or device to a pirate Internet site for unrestricted redistribution. The protections connect a variety of security regimes to one another through contracts and licensing.
The trust model includes:
- Specifying System on a Chip (SoC) and/or manufacturer-based provisioning methods, for example to include a hardware root of trust from which a variety of trust relations can be built.
- Specifying hardware requirements, SoC security firmware OS, software hardening measures, and digital certificates to provide assurance that the device in which the chip is placed is itself resistant to hacks.
- Securing integration of SoC/OS/SW into receivers.
- Assuring that copy protection and use restrictions are carried through to receiver outputs – e.g., assuring that a device receiving content that is only permitted to be output for display does not make a recording; sends the content through an output with instructions that the downstream device may only display the content; and establishes a handshake with the downstream device that assures that the downstream device will respect that instruction. These copy and redistribution instructions vary and continue to evolve.
- Proactively detecting and disabling potential security threats; countering actual hacks and where possible prosecuting the perpetrators; and supplying on-going software upgrades in response to threats/hacks.
- Enabling and supporting renewability.
- Enforcing these trust conditions through device licenses (which create enforceable responsibilities), chip and device testing, affiliation agreements with enforceable restrictions, the chain of trust from content provider to the distributor, and assorted third-party beneficiary clauses providing content providers with rights of enforcement against downstream parties with whom they may have no direct contract relationship.
- In the case of DBS, pairing the SoC with a smartcard to enable cryptographically secure communications with hardware roots of trust.
This trust model assures the flow of commercial content from content suppliers to the various distributors so that they may include them as part of the retail offering to consumers. [3] Devices must operate within this ecosystem in order to be part of the chain of trust. In the case of MVPD-provided client devices, the “chain of trust” is maintained by components that are all specified by the MVPD. However, in the case of delivery to third-party devices, the “chain of trust” is supported by a mixture of MVPD-provided support (CAS, window controls, downloaded app, etc.) and third-party components that meet the content rights, business agreements and compliance and robustness necessary. In these cases, SW only (platform provided or downloaded) or SoC with commodity security support such as TEE and Secure Boot ROMs are used to provide the “chain of trust” to the end user.
The MovieLabs Specification for Next Generation Video and MovieLabs Specification for Enhanced Content Protection are examples of expected protections that major content providers have for securing high value content. [19] The Specification for Enhanced Content Protection requires, for example, a hardware root of trust, forensic watermarking, and corresponding video requirements for “4K” or Ultra High Definition programs. [3]
The trust model does not require uniformity in security techniques. In fact, diversity of approaches is a source of strength in security by reducing the target size and raising the costs to an attacker. For example, there can be multiple roots of trust, and there can be a variety of conditional access systems built from a common root of trust. [13] But there are consequences for devices that do not meet the expectations of content providers. Devices that do not expose a hardware root of trust to third parties will not receive the same third-party content as a device that does. [14]
Video providers use software and the delivery of an integrated service to trusted devices in order to protect against breaches of these chain of trust requirements.
Some members express the view that encoding rules and fair use should be considered a defense against content providers’ attempts to limit access to content.
For CableCARD devices, security arrangements were extended from the CableCARD to third party retail navigation devices. A regulatory and licensing framework was put in place to define retail devices’ handling of unidirectional cable linear programming. The DFAST technology license included compliance and robustness rules to secure content. The copy control information (CCI) provided a secure way to convey certain copy protection requirements from content agreements. Approved digital outputs allowed content, subject to the CCI settings, to be shared among other consumer devices that met security requirements. The Encoding Rules put limitations on what content owners could require. [22, 23, 28]